Malware Analysis Report

2024-10-10 10:40

Sample ID: 240609-f8846afa97
Target: a408e2bfa6521362525065c4170d314d83ffddc4ed68514ac01999e61a1dd693
SHA256: a408e2bfa6521362525065c4170d314d83ffddc4ed68514ac01999e61a1dd693
Tags: socks5systemz, botnet, discovery
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: a408e2bfa6521362525065c4170d314d83ffddc4ed68514ac01999e61a1dd693

Threat Level: Known bad

The file a408e2bfa6521362525065c4170d314d83ffddc4ed68514ac01999e61a1dd693 was found to be: Known bad.

Malicious Activity Summary

socks5systemz botnet discovery

Socks5Systemz

Detect Socks5Systemz Payload

Executes dropped EXE

Unexpected DNS network traffic destination

Loads dropped DLL

Checks installed software on the system

Unsigned PE

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-09 05:33

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-09 05:33
Reported: 2024-06-09 05:36
Platform: win10v2004-20240226-en
Max time kernel: 150s
Max time network: 152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a408e2bfa6521362525065c4170d314d83ffddc4ed68514ac01999e61a1dd693.exe"

Signatures

Detect Socks5Systemz Payload

Description Indicator Process Target
N/A N/A N/A N/A

Socks5Systemz

botnet socks5systemz

Unexpected DNS network traffic destination

Description Indicator Process Target
Destination IP 45.155.250.90 N/A N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-9FUP1.tmp\a408e2bfa6521362525065c4170d314d83ffddc4ed68514ac01999e61a1dd693.tmp N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 380 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Local\Temp\a408e2bfa6521362525065c4170d314d83ffddc4ed68514ac01999e61a1dd693.exe C:\Users\Admin\AppData\Local\Temp\is-9FUP1.tmp\a408e2bfa6521362525065c4170d314d83ffddc4ed68514ac01999e61a1dd693.tmp
PID 380 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Local\Temp\a408e2bfa6521362525065c4170d314d83ffddc4ed68514ac01999e61a1dd693.exe C:\Users\Admin\AppData\Local\Temp\is-9FUP1.tmp\a408e2bfa6521362525065c4170d314d83ffddc4ed68514ac01999e61a1dd693.tmp
PID 380 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Local\Temp\a408e2bfa6521362525065c4170d314d83ffddc4ed68514ac01999e61a1dd693.exe C:\Users\Admin\AppData\Local\Temp\is-9FUP1.tmp\a408e2bfa6521362525065c4170d314d83ffddc4ed68514ac01999e61a1dd693.tmp
PID 4044 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\is-9FUP1.tmp\a408e2bfa6521362525065c4170d314d83ffddc4ed68514ac01999e61a1dd693.tmp C:\Users\Admin\AppData\Local\Virtual Sound Card\virtualsoundcard.exe
PID 4044 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\is-9FUP1.tmp\a408e2bfa6521362525065c4170d314d83ffddc4ed68514ac01999e61a1dd693.tmp C:\Users\Admin\AppData\Local\Virtual Sound Card\virtualsoundcard.exe
PID 4044 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\is-9FUP1.tmp\a408e2bfa6521362525065c4170d314d83ffddc4ed68514ac01999e61a1dd693.tmp C:\Users\Admin\AppData\Local\Virtual Sound Card\virtualsoundcard.exe
PID 4044 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Local\Temp\is-9FUP1.tmp\a408e2bfa6521362525065c4170d314d83ffddc4ed68514ac01999e61a1dd693.tmp C:\Users\Admin\AppData\Local\Virtual Sound Card\virtualsoundcard.exe
PID 4044 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Local\Temp\is-9FUP1.tmp\a408e2bfa6521362525065c4170d314d83ffddc4ed68514ac01999e61a1dd693.tmp C:\Users\Admin\AppData\Local\Virtual Sound Card\virtualsoundcard.exe
PID 4044 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Local\Temp\is-9FUP1.tmp\a408e2bfa6521362525065c4170d314d83ffddc4ed68514ac01999e61a1dd693.tmp C:\Users\Admin\AppData\Local\Virtual Sound Card\virtualsoundcard.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a408e2bfa6521362525065c4170d314d83ffddc4ed68514ac01999e61a1dd693.exe

"C:\Users\Admin\AppData\Local\Temp\a408e2bfa6521362525065c4170d314d83ffddc4ed68514ac01999e61a1dd693.exe"

C:\Users\Admin\AppData\Local\Temp\is-9FUP1.tmp\a408e2bfa6521362525065c4170d314d83ffddc4ed68514ac01999e61a1dd693.tmp

"C:\Users\Admin\AppData\Local\Temp\is-9FUP1.tmp\a408e2bfa6521362525065c4170d314d83ffddc4ed68514ac01999e61a1dd693.tmp" /SL5="$600EA,4585671,54272,C:\Users\Admin\AppData\Local\Temp\a408e2bfa6521362525065c4170d314d83ffddc4ed68514ac01999e61a1dd693.exe"

C:\Users\Admin\AppData\Local\Virtual Sound Card\virtualsoundcard.exe

"C:\Users\Admin\AppData\Local\Virtual Sound Card\virtualsoundcard.exe" -i

C:\Users\Admin\AppData\Local\Virtual Sound Card\virtualsoundcard.exe

"C:\Users\Admin\AppData\Local\Virtual Sound Card\virtualsoundcard.exe" -s

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3804 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
FR 142.250.75.234:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 pki.goog udp
US 8.8.8.8:53 pki.goog udp
US 216.239.32.29:80 pki.goog tcp
US 8.8.8.8:53 234.75.250.142.in-addr.arpa udp
US 8.8.8.8:53 29.32.239.216.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 11.179.89.13.in-addr.arpa udp
SE 45.155.250.90:53 bubkvdl.com udp
US 8.8.8.8:53 90.250.155.45.in-addr.arpa udp
BG 93.123.39.193:80 bubkvdl.com tcp
US 8.8.8.8:53 193.39.123.93.in-addr.arpa udp

Files

memory/380-0-0x0000000000400000-0x0000000000414000-memory.dmp

memory/380-2-0x0000000000401000-0x000000000040B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-9FUP1.tmp\a408e2bfa6521362525065c4170d314d83ffddc4ed68514ac01999e61a1dd693.tmp

MD5 53a94211658a6bbf3d3a695470f940a6
SHA1 a9909ddfc97dee691e9d60b1257d61a3c1ef4e07
SHA256 d4928c3cacf826943bb44385aac5fb52e6ac69054f31a463df266baf9aa26d01
SHA512 d9c916961abcce8f05089df9cb6310c930aaa29266bfaf378a4dd0c9180ba9186a81393c662ba2a3b1a4da587379d68d532250c1a8d216d44dd532aaf178b402

memory/380-7-0x0000000000400000-0x0000000000414000-memory.dmp

memory/4044-8-0x0000000000400000-0x00000000004BA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-43TOO.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

memory/4044-57-0x0000000000400000-0x00000000004BA000-memory.dmp

C:\Users\Admin\AppData\Local\Virtual Sound Card\virtualsoundcard.exe

MD5 a0ac562bedc60906db18a7457c4a3e33
SHA1 f9e83a91e0c8609a355bafa25c88a0ae30107fed
SHA256 728d3595972daf3b92bd052193a13a079d0862604c6a88fb3acd739cf08ec38a
SHA512 ccaa43278a250cc6ce03d04344ebd57e928d99e93b83a938eeba65c25a7255de5cadd51bc4d593214a2232c214a47a7c1a0e0ca56cb398e0d74c886470650414


Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-09 05:33
Reported: 2024-06-09 05:36
Platform: win11-20240419-en
Max time kernel: 148s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a408e2bfa6521362525065c4170d314d83ffddc4ed68514ac01999e61a1dd693.exe"

Signatures

Detect Socks5Systemz Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Socks5Systemz

botnet socks5systemz

Unexpected DNS network traffic destination

Description Indicator Process Target
Destination IP 141.98.234.31 N/A N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-2S1LF.tmp\a408e2bfa6521362525065c4170d314d83ffddc4ed68514ac01999e61a1dd693.tmp N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3348 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\a408e2bfa6521362525065c4170d314d83ffddc4ed68514ac01999e61a1dd693.exe C:\Users\Admin\AppData\Local\Temp\is-2S1LF.tmp\a408e2bfa6521362525065c4170d314d83ffddc4ed68514ac01999e61a1dd693.tmp
PID 3348 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\a408e2bfa6521362525065c4170d314d83ffddc4ed68514ac01999e61a1dd693.exe C:\Users\Admin\AppData\Local\Temp\is-2S1LF.tmp\a408e2bfa6521362525065c4170d314d83ffddc4ed68514ac01999e61a1dd693.tmp
PID 3348 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\a408e2bfa6521362525065c4170d314d83ffddc4ed68514ac01999e61a1dd693.exe C:\Users\Admin\AppData\Local\Temp\is-2S1LF.tmp\a408e2bfa6521362525065c4170d314d83ffddc4ed68514ac01999e61a1dd693.tmp
PID 2176 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\is-2S1LF.tmp\a408e2bfa6521362525065c4170d314d83ffddc4ed68514ac01999e61a1dd693.tmp C:\Users\Admin\AppData\Local\Virtual Sound Card\virtualsoundcard.exe
PID 2176 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\is-2S1LF.tmp\a408e2bfa6521362525065c4170d314d83ffddc4ed68514ac01999e61a1dd693.tmp C:\Users\Admin\AppData\Local\Virtual Sound Card\virtualsoundcard.exe
PID 2176 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\is-2S1LF.tmp\a408e2bfa6521362525065c4170d314d83ffddc4ed68514ac01999e61a1dd693.tmp C:\Users\Admin\AppData\Local\Virtual Sound Card\virtualsoundcard.exe
PID 2176 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\is-2S1LF.tmp\a408e2bfa6521362525065c4170d314d83ffddc4ed68514ac01999e61a1dd693.tmp C:\Users\Admin\AppData\Local\Virtual Sound Card\virtualsoundcard.exe
PID 2176 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\is-2S1LF.tmp\a408e2bfa6521362525065c4170d314d83ffddc4ed68514ac01999e61a1dd693.tmp C:\Users\Admin\AppData\Local\Virtual Sound Card\virtualsoundcard.exe
PID 2176 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\is-2S1LF.tmp\a408e2bfa6521362525065c4170d314d83ffddc4ed68514ac01999e61a1dd693.tmp C:\Users\Admin\AppData\Local\Virtual Sound Card\virtualsoundcard.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a408e2bfa6521362525065c4170d314d83ffddc4ed68514ac01999e61a1dd693.exe

"C:\Users\Admin\AppData\Local\Temp\a408e2bfa6521362525065c4170d314d83ffddc4ed68514ac01999e61a1dd693.exe"

C:\Users\Admin\AppData\Local\Temp\is-2S1LF.tmp\a408e2bfa6521362525065c4170d314d83ffddc4ed68514ac01999e61a1dd693.tmp

"C:\Users\Admin\AppData\Local\Temp\is-2S1LF.tmp\a408e2bfa6521362525065c4170d314d83ffddc4ed68514ac01999e61a1dd693.tmp" /SL5="$70054,4585671,54272,C:\Users\Admin\AppData\Local\Temp\a408e2bfa6521362525065c4170d314d83ffddc4ed68514ac01999e61a1dd693.exe"

C:\Users\Admin\AppData\Local\Virtual Sound Card\virtualsoundcard.exe

"C:\Users\Admin\AppData\Local\Virtual Sound Card\virtualsoundcard.exe" -i

C:\Users\Admin\AppData\Local\Virtual Sound Card\virtualsoundcard.exe

"C:\Users\Admin\AppData\Local\Virtual Sound Card\virtualsoundcard.exe" -s

Network

Country Destination Domain Proto
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
HK 141.98.234.31:53 ainobxb.ru udp
BG 93.123.39.193:80 ainobxb.ru tcp
CH 176.10.111.158:2023 tcp

Files

memory/3348-0-0x0000000000400000-0x0000000000414000-memory.dmp

memory/3348-3-0x0000000000401000-0x000000000040B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-2S1LF.tmp\a408e2bfa6521362525065c4170d314d83ffddc4ed68514ac01999e61a1dd693.tmp

MD5 53a94211658a6bbf3d3a695470f940a6
SHA1 a9909ddfc97dee691e9d60b1257d61a3c1ef4e07
SHA256 d4928c3cacf826943bb44385aac5fb52e6ac69054f31a463df266baf9aa26d01
SHA512 d9c916961abcce8f05089df9cb6310c930aaa29266bfaf378a4dd0c9180ba9186a81393c662ba2a3b1a4da587379d68d532250c1a8d216d44dd532aaf178b402

memory/2176-13-0x0000000000400000-0x00000000004BA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-FIU0M.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

C:\Users\Admin\AppData\Local\Virtual Sound Card\virtualsoundcard.exe

MD5 a0ac562bedc60906db18a7457c4a3e33
SHA1 f9e83a91e0c8609a355bafa25c88a0ae30107fed
SHA256 728d3595972daf3b92bd052193a13a079d0862604c6a88fb3acd739cf08ec38a
SHA512 ccaa43278a250cc6ce03d04344ebd57e928d99e93b83a938eeba65c25a7255de5cadd51bc4d593214a2232c214a47a7c1a0e0ca56cb398e0d74c886470650414
